10 matches found
Improper Origin Validation
Bokeh is vulnerable to improper origin validation. The vulnerability is due to flawed allowlist matching of the WebSocket Origin header, which allows an attacker to register a look-alike domain or subdomain that bypasses origin checks and establish a WebSocket connection to the Bokeh server...
SUSE CVE-2026-21883
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist e.g., dashboard.corp, an attacker can register a domain like dashboard.corp.attacker.com or use a subdomain if applicable and lure a victim to visit it. The...
CVE-2026-21883 Bokeh server applications have Incomplete Origin Validation in WebSockets
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist e.g., dashboard.corp, an attacker can register a domain like dashboard.corp.attacker.com or use a subdomain if applicable and lure a victim to visit it. The...
EUVD-2026-1036
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist e.g., dashboard.corp, an attacker can register a domain like dashboard.corp.attacker.com or use a subdomain if applicable and lure a victim to visit it. The...
CVE-2026-21883 Bokeh server applications have Incomplete Origin Validation in WebSockets
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist e.g., dashboard.corp, an attacker can register a domain like dashboard.corp.attacker.com or use a subdomain if applicable and lure a victim to visit it. The...
CVE-2026-21883
Bokeh server (Python) CVE-2026-21883 affects 3.8.1 and earlier. Incomplete origin validation in WebSockets due to a flawed host matching in the allowlist enables an attacker to lure a victim to a malicious domain (e.g., dashboard.corp.attacker.com) and initiate a WebSocket connection, potentially...
PT-2026-2119
Name of the Vulnerable Software and Affected Versions Bokeh versions 3.8.1 and below Description Bokeh is an interactive visualization library written in Python. If a server is configured with an allowlist, an attacker can register a domain and lure a victim to visit it. The malicious site can th...
bokeh 安全漏洞
bokeh is a Python library for data visualization from Bokeh open source. A security vulnerability exists in bokeh 3.8.1 and earlier versions, which stems from a misconfiguration of the allowed list and could lead to an attacker interacting with the Bokeh server...
GHSA-793V-589G-574V Bokeh server applications have Incomplete Origin Validation in WebSockets
This vulnerability allows for Cross-Site WebSocket Hijacking CSWSH of a deployed Bokeh server instance. Scope This vulnerability is only relevant to deployed Bokeh server instances. There is no impact on static HTML output, standalone embedded plots, or Jupyter notebook usage. This vulnerability...
Bokeh server applications have Incomplete Origin Validation in WebSockets
This vulnerability allows for Cross-Site WebSocket Hijacking CSWSH of a deployed Bokeh server instance. Scope This vulnerability is only relevant to deployed Bokeh server instances. There is no impact on static HTML output, standalone embedded plots, or Jupyter notebook usage. This vulnerability...